Add a parameterized list of security groups to ano

Posted 2019-06-08 19:41

I'd like to create a CloudFormation template that creates a security group resource that allows ingress from a variable list of other security groups. The template would take a parameter of type List<AWS::EC2::SecurityGroup::Id>. I'll name this parameter SourceSecurityGroupIds for this example. Then, it would create a security group resource using something like:

{
    "LogServerSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "XYZ security group",
            "VpcId": "vpc-abcxyz",
            "SecurityGroupIngress": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 1234,
                    "ToPort": 1234,
                    "SourceSecurityGroupId": { "Ref": "SourceSecurityGroupIds" }
                }
            ]
        }
    }
}

Of course, the SourceSecurityGroupId property of SecurityGroupIngress doesn't take a list. Is there a way to make this work?

Update - Feb 27, 2019

In retrospect, the correct way to do this is to create a LogSourceSecurityGroup, and allow ingress only from that security group. Then, add that security group to any EC2 instance, etc. that should be able to communicate with the log server.

2 answers
[This account has been banned]
Reply 2 · 2019-06-08 20:28

The SecurityGroupIngress property above is an array/list. So, define multiple ingress rules there.

e.g:

  "SecurityGroupIngress": [
    {
      "IpProtocol": "tcp",
      "FromPort": 1234,
      "ToPort": 1234,
      "SourceSecurityGroupId": "SG-12345"
    },
    {
      "IpProtocol": "tcp",
      "FromPort": 1234,
      "ToPort": 1234,
      "SourceSecurityGroupId": "SG-abcde"
    },
    {
      "IpProtocol": "tcp",
      "FromPort": 1234,
      "ToPort": 1234,
      "SourceSecurityGroupId": "SG-54321"
    }
  ]
Ridiculous、
Reply 3 · 2019-06-08 20:32

I know it's late, so you've already figured it out, but I just ran into this same issue and I was able to fix it. You need to create a "Security Group Ingress" resource that will add the rule to an existing security group, so it would be like:

{
    "LogServerSecurityGroup": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "XYZ security group",
            "VpcId": "vpc-abcxyz"
        }
    },
    "LogServerSecurityGroupIngress" : {
        "Type" : "AWS::EC2::SecurityGroupIngress",
        "Properties" : {
            "GroupId" : {"Ref" : "LogServerSecurityGroup"},
            "IpProtocol" : "tcp",
            "FromPort" : "1234",
            "ToPort" : "1234",
            "SourceSecurityGroupId" : {"Ref" : "SourceSecurityGroupIds"}
        }
    }
}

You can find more information here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group-ingress.html#cfn-ec2-security-group-ingress-groupid

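The one-ingress-rule-per-source-group approach that both answers describe, as an added example that is not from the original post or from AWS: a small Python generator that expands a list of source security group IDs into one AWS::EC2::SecurityGroupIngress resource each, because a CloudFormation template cannot loop over a List parameter on its own. The sample IDs, the LogServerIngressFrom… logical-ID naming and the sg-ID regex are assumptions.

```python
import json
import re

# Constructed sample input: the IDs that would otherwise arrive through the
# List<AWS::EC2::SecurityGroup::Id> parameter from the question.
SAMPLE_SOURCE_SG_IDS = ["sg-0a1b2c3d", "sg-0e4f5a6b", "sg-0c7d8e9f"]

# Assumed format check: 'sg-' followed by 8 (old style) or 17 hex characters.
SG_ID_RE = re.compile(r"^sg-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def build_template(source_sg_ids, port, vpc_id="vpc-abcxyz"):
    """Return a CloudFormation template (as a dict) containing the log server
    security group plus one AWS::EC2::SecurityGroupIngress resource per source
    group. Each rule is scoped to exactly one port and one source group, so no
    rule is wider than the access it is meant to grant."""
    resources = {
        "LogServerSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Log server security group",
                "VpcId": vpc_id,
            },
        }
    }
    seen = set()
    for sg_id in source_sg_ids:
        if not SG_ID_RE.match(sg_id):
            raise ValueError(f"not a security group id: {sg_id!r}")
        if sg_id in seen:  # a duplicate rule would make stack creation fail
            continue
        seen.add(sg_id)
        # Logical IDs must be alphanumeric, so derive one from the sg id.
        logical_id = "LogServerIngressFrom" + sg_id.replace("-", "").upper()
        resources[logical_id] = {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Ref": "LogServerSecurityGroup"},
                "IpProtocol": "tcp",
                "FromPort": port,
                "ToPort": port,
                "SourceSecurityGroupId": sg_id,
            },
        }
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": resources}


if __name__ == "__main__":
    print(json.dumps(build_template(SAMPLE_SOURCE_SG_IDS, 1234), indent=2))
```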